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(54) Method and apparatus for recording of encrypted digital data 



(57) A method of recording transmitted digital data 
in which transmitted digital information CW 96 is 
encrypted 97 using a recording encryption key E(NE) 
98 and the resulting encrypted ECM message 99 stored 
on recording support medium. An equivalent of the 
recording encryption key E(NE) 100 is further encrypted 
by a recording transport key RT(A) 102 to form an EMM 
message 103 stored on the support medium together 
with the encrypted ECM message 99. 
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Description 

[0001 ] The present invention relates to a method and 
apparatus for recording scrambled digital data, for 
example television broadcasts. 
[0002] Transmission of encrypted data is well-known 
in the field of pay TV systems, where scrambled audio- 
visual information is broadcast typically by satellite to a 
number of subscribers, each subscriber possessing a 
decoder or integrated receiver/decoder (IRD) capable of 
desaambling the transmitted program for subsequent 
viewing. 

[0003] In a typical system, scrambled digital data is 
transmitted together with a control word for descram- 
bling of the digital data, the control word itself being 
encrypted by an exploitation key and transmitted in 
encrypted form. A decoder receives the scrambled dig- 
ital data and encrypted control word which uses an 
equivalent of the exploitation key to decrypt the 
encrypted control word and thereafter descramble the 
transmitted data. A paid-up subscriber will receive peri- 
odically the exploitation key necessary to decrypt the 
encrypted control word so as to permit viewing of a par- 
ticular program. 

[0004] With the advent of digital technology, the qual- 
ity of the transmitted data has increased many times 
over. A particular problem associated with digital quality 
data lies in its ease of reproduction. Where a descram- 
bled program is passed via an analogue link (e.g. the 
< < Peritel > ) link) fa viewing and recording by a standard 
VCR the quality remains no greater than that associated 
with a standard analogue cassette recording. The risk 
that such a recording may be used as a master tape to 
make pirate copies is thus no greater than with a stand- 
ard shop bought analogue cassette. 
[0005] By way of contrast, any descrambled digital 
data passed by a direct digital link to one of the new 
generation of digital recording devices (for example, a 
DVHS recorder) will be of the same quality as the origi- 
nally transmitted program and may thus be reproduced 
any number of times without any degradation of image 
or sound quality. There is therefore a considerable risk 
that the descrambled data will be used as a master 
recording to make pirate copies. 
[0006] French Patent Application 95 03859 shows one 
of overcoming this problem, by means of a system in 
which descrambled digital data is never allowed to be 
recorded on the digital recording medium. Instead, the 
decoder described In this application forwards the data 
for recordal on the support medium in its scrambled 
form. The control word necessary to desaamble the 
data is re-encrypted by means of another key and 
stored on the recording support with the scrambled 
data. This new key is known only to the 
receiver/decoder and replaces the exploitation key 
needed to obtain the control word for viewing of the pro- 
gram, 

[0007] The advantage of such a system is that the 
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data is never stored in a < ( clear >)form and cannot be 
viewed without possession of the new key, stored in the 
decoder. The system also possesses the advantage 
that, since the exploitation key changes on a monthly 
5 basis, the use of a key chosen by the decoder to re- 
encrypt the control word registered on the digital tape 
means that the decoder will still be able to decrypt the 
control word recorded on the tape even after the end of 
a subscription month. 
10 [0008] The disadvantage of the system proposed in 
this previous patent application is that the recording can 
only be viewed in conjunctfon with that particular 
decoder. If that decoder breaks down, or is replaced, 
the recording can no longer be replayed. Equally, it is 
IS not po^ble to play the recording directly in a digital 
recorder without connecting the decoder in the system. 
[0009] It is an object of the present invention in its 
broadest and specific aspects to overcome some or all 
of the problems associated with this known solution. 
20 [0010] According to the present invention, there is pro- 
vided a method of recording transmitted digital data in 
which transmitted digital information is encrypted by a 
recording encryption key and stored by a recording 
means on a recording support medium and character- 
's ised in that an equivalent of the recording enayption 
key is encrypted by a recording transport key and stored 
on the support medium together with the encrypted 
information. 

[0011] The advantage of this method lies in the fact 

30 that the specific encryption key used to encrypt the 
information is itself penmanently recorded with the asso- 
ciated encrypted information. In order to facilitate future 
access, and as will be described below, one or more 
safeguard copies of the recording transport key may be 

35 stored at another location than in the recorder. 

[001 2] In one embodiment, the information encrypted 
by the recording encryption key comprises control word 
information usable to descramble a scrambled data 
transmission also recorded on the support medium. 

40 Other emkxxiiments are conceivable, for example, in 
which the enaypted information corresponds simply to 
transmitted data that will be ultimately read or displayed, 
e.g. the audiovisual information Itself rather than a con- 
trol word used to descramble it. 

45 [0013] In one embodiment, the recording enayption 
key and/or recording transport key are stored on a port- 
able security module associated with the recording 
means. This may comprise, for example, any conven- 
ient microprocessor and/or memory card device, such 

50 as a PCMCIA card, a smart card, a SIM card etc. In 
alternative realisations, the keys may be stored in a 
security module permanently enfibodied in the recording 
means. 

[0014] In one embodiment, the transmitted informa- 
55 tion is encrypted prior to transmission and received by a 
decoder means befae being communicated to ttie 
recording means. The decoder may be physically sepa- 
rate or combined with the recording means. As will be 
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explained in further detail below, the transmitted infor- 
mation may be in some cases processed and/or reen- 
crypted by the decoder before being communicated to 
the recording means. 

[0015] The decoder means may itself be associated s 
with a portable security module used to store transmis- 
sion access control keys used to decrypt the transmitted 
encrypted information. In some embodiments, this may 
be distinct from the portable security module associated 
with the recording means. However, in the case of an io 
integrated decoder/recorder, for example, the same 
security module may be used to hold all keys. 
[0016] In one embodiment, the recording encryption 
key arxj/or recording transport key function in accord- 
ance with a first enayption algorithm and the transmis- is 
sion access control keys function in accordance with a 
second encryption algorithm. 
[0017] For example, the recording encryption and 
transport keys may use the symmetric DES algorithm, 
whilst the transmission keys function in accordance with 20 
a customised algorithm, unk^ue to the broadcast access 
control system. This enables the system manager to 
retain control over the algorithm chosen for the trans- 
mission keys whilst allowing a generic algorithm to be 
used for the keys relating to a recording. 25 
[0018] In one embodiment, the recording transport 
key is generated at a central recording authorisation 
unit arxJ a copy of tNs key communicated to the record- 
ing means. In the event of loss or destruction of the key 
support associated with the recording means a backup 30 
copy or at least the means to generate the the transport 
key will at all times be present at the central recording 
autiiorisation unit. 

[0019] For security reasons, the recording transport 
key is preferably encrypted by a furttier encryption key 35 
prior to being communicated to the recording means. 
This further encryption key may be based, for example, 
on an encryption key common to all recorder security 
modules diversified by the serial number of the security 
module, such that only that security module can read 40 
the message. 

[0020] In the case where the system comprises a 
receiver/decoder physically separate from the recording 
means it may be desirable for the recording means to 
possess the same access rights as the 45 
receiver/decoder, for example to permit the 
receiver/decoder to simply fonA^ard the data stiream "as 
is" to the recorder for processing. 
[0021] Accordingly, in one embodiment, a central 
access control system communicates transmission so 
access control keys to a portable security module asso- 
ciated with the recording means. These may conrprise. 
for example, a double of the keys normally held by the 
portable security nxxiule associated with the decoder 
and which are used to descrani)le transmissions. ss 
[0022] In tills embodiment, the recording means 
dIrecUy descrambles fransmitted informatbn using the 
transmission access keys prior to re-encryption of the 



information by the recording encryption key and storage 
on tiie support medium. 

[0023] In a similar manner as witii the communication 
of the fransport key the central access control system 
preferably encrypts tfie broadcast access confrol keys 
by a further encryption key prior to their comnujnication 
to flie recording meana This further encryption key may 
equally comprise an audience key common to all secu- 
rity modules diversified by tiie serial numfc>er of the 
recording means. 

[0024] In order to enable the certral access control 
system to correctly identify tiie broadcast access keys 
tiiat need to be forwarded to tiie recording means, the 
recording means preferably sends a request to the cen- 
tral access corrtrol system including information klentify- 
ing the broadcast access keys needed, the request 
being autiientif led by tiie recording means using a key 
unique to the recording means. This may conrespond, 
for example, to the key used to encrypt communications 
from the central access control system to the recording 
means. 

[0025] In tiie atx^e realisations of the invention, a 
number of diverse embodiments have been described, 
in particular in which a oenfral recording authorisation 
unit generates and maintains a copy of tfie recording 
transport keys arxJ in which a central access control 
system sends a duplicate set of fransmission access 
control keys to the recording means. Alternative embod- 
iments are possible. 

[0026] For example, in one embodiment comprising a 
decoder means and associated security module and a 
recording means and associated security module, a 
copy of tiie recording transport key is stored in the secu- 
rity module associated witii the decoder means. In ttiis 
way, a backup key for decrypting a recording wiO always 
be availat)ie even in the event of destruction or loss of 
tiie recorder security module. 
[0027] The recording t-ansport key may be generated, 
for example, by tiie recording means security nrxxlLde 
and communicated to tiie decoder means security mod- 
ule or vice versa. For security reasons, tiie recording 
transport key Is preferably encrypted before communi- 
cation to the decoder security oKxiule and deaypted by 
a key unique to tiie security module receiving the 
recording transport key 

[D028] This unk)ue key and its equivalent may be 
embedded in the respective security modules at the 
moment of their creation. However, alternatively the 
decoder security module and recording security module 
carry out a mutual authorisation process, tiie unique 
decryption key being passed to the other security mod- 
ule from the encrypting security module depending on 
tiie results of tiie mutual autiiorisation. 
[0029] In one embocfiment. tiie mutual autiiorisation 
step is carried out using, inter alia, an audience key 
known to both security nxxiules diversified by the serial 
number of each module. 

[QOSO] In a furttier development of this double security 
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module embodiment, the decoder means security mod- 
ule possesses transmission access control keys to 
decrypt the transmitted information in an encrypted 
form and a session key re-encrypt the information prior 
to communication to the recording means security mod- 5 
ule, the recording means security module possessing 
an equivalent of the session key to decrypt the informa- 
tion prior to encryption by the recording transport key 
[0031] This session key may be generated by the 
decoder means security module or recording means 10 
security module and communicated to the other module 
in encrypted form using an encryption key uniquely 
decryptable by the other security module. 
[00321 The present invention extends to a recording 
means for use in the above method, a decoder means is 
and a portable security module for use in each. 
[0033] The terms "scrambled" and "encrypted" and 
"control word" and "key" have been used at various 
parts in the text for the purpose of clarity of language. 
However, it will be understood that no fundamental dis- 20 
tinction is to be made between "scrambled data" and 
"encrypted data" or between a "control word" and a 
"key". Similarly, the term "equivalent key" is used to refer 
to a key adapted to decrypt data encrypted by a first 
mentioned key, or vice versa. Unless obligatory in view 25 
of the context or unless otherwise specified, no general 
distinction is made between keys associated with sym- 
metric algorithms and those associated with public/pri- 
vate algorithms. 

[0034] The term "receiver/decoder" or "decoder" used 30 
herein may connote a receiver for receiving either 
encoded or non-encoded signals, for example, televi- 
sion and/or radio signals, which may be broadcast or 
transmitted by some other means. The term may also 
connote a decoder for decoding received signals. 3S 
Embodiments of such receiver/decoders may include a 
decoder integral with the receiver for decoding the 
received signals, for example, in a "set-top box", such a 
decoder functioning in combination with a physically 
separate receiver, or such a decoder including addi- 40 
tional functions, such as a web browser or a video 
recorder or a television. 

[0035] As used herein, the term "digital transmission 
system" includes any transmission system for transmit- 
ting or broadcasting for example primarily audiovisual or as 
multimedia digital data. Whilst the present invention is 
particularly applicable to a broadcast digital television 
system, the invention may also be applicable to a fixed 
telecommunications network for multimedia internet 
applications, to a closed circuit television, and so on. so 
[0036] As used herein, the term "digital television sys- 
tem" includes for example any satellite, terrestrial, cable 
and other system. 

[0037] There will now be described, by way of exam- 
ple only, a number of embodiments of the invention, with ss 
reference to the following figures, in which: 

Figure 1 shows the overall architecture of a digital 



TV system according to this embodiment; 

Rgure 2 shows the architecture of the conditional 
access system of Rgure 1 ; 

Rgure 3 shows the encryption levels in the condi- 
tional access system; 

Rgure 4 shows the layout of a decoder and digital 
recording device according to this embodiment; 

Rgure 5 shows in schematic form the organisation 
of zones within the memory cards associated with 
the decoder and recorder of Rgure 4; 

Rgures 6 and 7 show the steps in the preparation of 
messages for communication between the decoder 
card and a centralised server In this first embodi- 
ment; 

Rgure 8 shows the cryptology architecture of the 
decoder card in generating a recording enayption 
key accorcfing to this first embodiment; 

Rgures 9 and 10 show the preparation of ECM and 
EMM messages for recordai on the digital recording 
support according to this first embodiment; 

Rgure 1 1 shows the decryption steps associated 
with the replay of a recording in this first embodi- 
ment; 

Rgure 12 shows in schematic form the organisation 
of zones within the memory cards of the decoder 
and recading device according to a second 
emlxxJiment of the invention; 

Rgures 1 3 and 14 show the initial mutual authorisa- 
tion steps and transfer of data between the decoder 
memory card and the recorder memory card 
according to this second embodiment; 

Rgure 15 shows the creation and communication of 
a session key to be used by both memory cards 
during recording of a programme in this second 
embodiment; 

Rgure 16 shows the operation of the recorder card 
to generate a recording encryption key in this sec- 
ond embodiment; 

Rgure 17 shows tiie treatment of ti'ansmission 
ECMs by the decoder card in order to communicate 
the control word CW in encrypted form to the 
recorder card in this second embodiment; 

Rgures 18 and 19 show the preparation of ECM 
and EMM messages for recordai on the digital 
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recording support according to this second embod- 
iment; and 

Figure 20 shows communication between a 
decoder card and a recorder card. s 

[0038] An overview of a digital television broadcast 
and reception system 1 is shown in Figure 1 . The inven- 
tion includes a mostly conventional digital television 
system 2 which uses the MPEG-2 compression system io 
to transmit compressed digital signals. In more detail, 
MPEG-2 compressor 3 in a broadcast centre receives a 
digital signal stream (for example a stream of audio or 
video signals). The compressor 3 is connected to a mul- 
tiplexer and saambler 4 by linkage 5. The multiplexer 4 is 
receives a plurality of further input signals, assembles 
one or more transport streams and transmits com- 
pressed digital signals to a transmitter 6 of the broad- 
cast centre via linkage 7, which can of course take a 
wide variety of forms including telecom links. 20 
[0039] The transmitter 6 transmits electromagnetic 
signals via uplink 8 towards a satellite transponder 9, 
where they are electronically processed and broadcast 
via a notional downlink 10 to earth receiver 1 1 . conven- 
tionally in the form of a dish owned or rented by the end 25 
user The signals received by receiver 1 1 are transmit- 
ted to an integrated receiver/decoder 12 owned or 
rented by the end user and connected to the end user's 
television set 13. The receiver/decoder 12 decodes the 
compressed MPEG-2 signal into a television signal for 30 
the television set 13. 

[0040] A conditional access system 20 is connected to 
the nujitiplexer 4 and the receiver/decoder 12. and is 
located partly in the broadcast centre and partly in the 
decoder. It enables the end user to access digital teievi- 3S 
sion broadcasts from one or more broadcast sippliers. 
A smartcard. capable of decrypting messages relating 
to commercial offers (that is. one or several television 
programmes sold by the broadcast supplier), can be 
inserted into the receiver/decoder 12. Using the 40 
decoder 12 and smartcard, the end user may purchase 
events in either a subscription mode or a pay-per-view 
mode. 

[0041 ] An interactive system 1 7. also connected to the 
multiplexer 4 and the receiver/decoder 12 and again 45 
located partly in the broadcast centre and partly in the 
decoder, may be provided to enable the end user to 
interact with various applications via a modemmed back 
channel 16. 

[0042] The conditional access system 20 v/ill now be so 
desaibed in more detail. With reference to Figure 2, in 
overview the conditional access system 20 includes a 
Subscriber Authorization System (SAS) 21 . The SAS 21 
is connected to one or more Subsaiber Management 
Systems (SMS) 22, one SMS for each broadcast sup- 55 
plier, by a respective TCP-IP linkage 23 (although other 
types of linkage couM atternatlvely be used). Alterna- 
tively, one SMS couM be shared between two broadcast 



suppliers, or one supplier could use two SMSs. and 
soon. 

[0043] First encrypting units in the form of ciphering 
units 24 utilising "mother' smartcards 25 are connected 
to the SAS by linkage 26. Second enaypting units 
again in the form of ciphering units 27 utilising mother 
smartcards 28 are connected to the multiplexer 4 by 
linkage 29. The receiver/decoder 1 2 receives a portable 
security nrxxJule. for example In the form of "daughter" 
smartcard 30. It is connected directly to the SAS 21 by 
Communications Servers 31 via the modemmed back 
channel 1 6. The SAS sends, amongst other things, sub- 
scription rights to the daughter smartcard on request. 
[0044] The smartcards contain the secrets of one or 
more commercial operators. The "mother" smartcard 
encrypts different kinds of messages and the "daughter" 
smartcards decrypt the messages, if they have the 
rights to do so. 

[0045] The first and second ciphering units 24 and 27 
comprise a racK an electronic VME card with software 
stored on an EEPROM. up to 20 electronic cards and 
one smartcard 25 and 28 respectively, for each elec- 
tronic card, one card 28 for enaypting the ECMs and 
one card 25 for encrypting the EMMs. 
[0046] The operation of the conditional access system 
20 of the digital television system will now be described 
in more detail with reference to the various components 
of the television system 2 and the conditional access 
system 20. 

Multiplexer and Scrambler 

[0047] With reference to Figures 1 and 2. in the txoad- 
cast centre, the digital audio or video signal is first com- 
pressed (or bit rate reduced), using the MPEG-2 
conpressor 3. This compressed signal is then transmit- 
ted to the multiplexer and saambler 4 via the linkage 5 
in order to be multiplexed with other data, such as other 
compressed data. 

[0048] The scran^ler generates a control word used 
in the saambling process and included in the MPEG-2 
stream in the multiplexer. The control word is generated 
internally and enables the end user's integrated 
receiver/decoder 12 to desaamble the programme. 
[0049] Access criteria, Indicating how the programme 
Is commercialised, are also added to the MPEQ-2 
stream. The programme nray be commercialised in 
either one of a number of "subscription" modes and/or 
one of a number of "Pay Per View" (PPV) nrxxies or 
events. In the subscription mode, the end user sub- 
scribes to one or more commercial offers, or 'bou- 
quets", thus getting the rights to watch every channel 
inside those bouquets. In the preferred emtxxiiment, up 
to 960 commercial offers may be selected from a bou- 
quet of channels. 

[0050] In the Pay Per View mode, the end user is pro- 
vided with the capatMlrty to purchase events as he 
wishes. This can be achieved by either pre-booking the 
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e^BvX in advance ("pre-book mode**), or by purchasing 
the event as soon as it is broadcast (Impulse mode"). In 
the preferred embodiment, all users are subscribers, 
whether or not they watch in subscription or PPV mode, 
but of course PPV viewers need not necessarily be sub- 
scribers. 

Entitlement Control Messages 

[0051] Both the control word and the access criteria 
are used to build an Entitlement Control Message 
(ECM). This Is a message sent in relation with a scram- 
bled program; the message contains a control word 
(which allows for the descrambling of the program) and 
the access criteria of the broadcast program. The 
access criteria and control word are transmitted to the 
second encrypting unit 27 via the linkage 29. In this unit, 
an ECM is generated, encrypted and transmitted on to 
the multiplexer and scrambler 4. During a broadcast 
transmission, the control word typically changes every 
few seconds, and so ECMs are also periodically trans- 
mitted to enable the changing control word to be 
desaambled. For redundancy purposes, each ECM 
typically includes two control words; the present control 
word and the next control word. 
[0052] Each service broadcast by a broadcast sup- 
plier in a data stream comprises a number of distinct 
components; for example a television programme 
includes a video component, an audio component, a 
sub-title component and so on. Each of these compo- 
nents of a service is individually scrambled and 
encrypted for subsequent broadcast to the transponder 
9. In respect of each scrambled component of the sen^- 
ice. a separate ECM is required. Alternatively a single 
ECM may be required for all of the scrambled compo- 
nents of a sen^ice. Multiple ECMs are also generated in 
the case where multiple conditional access systems 
control access to the same transmitted program. 

Emblement Management Messaoes f EMMs^ 

[0053] The EMM is a message dedicated to an indi- 
vidual end user (subscriber), or a group of end users. 
Each group may contain a given number of end users. 
This organisation as a group aims at optimising the 
bandwidth; that is. access to one group can permit the 
reaching of a great number of end users. 
[0054] Various specific types of EMM can be used. 
Individual EMMs are dedicated to individual subscrib- 
ers, and are typically used in the provision of Pay Per 
View services; these contain the group identifier and the 
position of the subscriber in that group. 
[0055] Group subscription EMMs are dedicated to 
groups of. say, 256 individual users, and are typically 
used in the administration of some subscription serv- 
ices. This EMM has a group identifier and a subscribers' 
group bitmap. 

[0056] Audience EMMs are dedicated to entire audi- 



ences, and might for example be used by a particular 
operator to provide certain free services. An "audience" 
is the totality of subsaibers having smartcards which 
bear the same conditional access system identifier (CA 
5 ID). Rnally a "unique" EMM is addressed to the unique 
Identifier of the smartcard. 

[0057] EMMs may be generated by the various oper- 
ators to control access to rights associated with the pro- 
grams transmitted by the operators as outlined above. 
10 EMMs may also be generated by the conditional access 
system manager to configure aspects of the conditional 
access system in general. 

Programme Transmission 

IS 

[0058] The multiplexer 4 receives electrical signals 
comprising encrypted EMMs from the SAS 21, 
encrypted ECMs from the second encrypting unit 27 
and compressed programmes from the compressor 3. 

20 The multiplexer 4 scrambles the programmes and 
sends the scrambled programmes, the encrypted 
EMMs and the encrypted ECMs to a transmitter 6 of the 
broadcast centre via the linl^ge 7. The transmitter 6 
transmits electromagnetic signals towards the satellite 

25 transponder 9 via uplink 8. 

Programme Reception 

[0059] The satellite transponder 9 receives and proc- 

30 esses the electromagnetic signals transmitted by the 
transmitter 6 and transmits the signals on to the earth 
receiver 11. conventionally in the form of a dish owned 
or rented by the end user, via downlink 10. The signals 
received by receiver 1 1 are transmitted to the integrated 

35 receiver/decoder 12 owned or rented by the end user 
and connected to the end user's television set 13. The 
receiver/decoder 12 demultiplexes the signals to obtain 
scrambled programmes with encrypted EMMs and 
encrypted ECMs. 

40 [0060] If the programme is not scrambled, that is. no 
ECM has been transmitted with the MPEG-2 stream, 
the receiver/decoder 12 decompresses the data and 
transforms the signal into a video signal for transmission 
to television set 13. 

45 [0061] If the programme is scrambled, the 
receiver/decoder 12 extracts the corresponding ECM 
from the MPEG-2 stream and passes the ECM to the 
"daughter" smartcard 30 of the end user. This slots into 
a housing in the receiver/decoder 12. The daughter 

50 smartcard 30 controls whether the end user has the 
right to decrypt the ECM and to access the programme. 
If not, a negative status is passed to the 
receiver/decoder 12 to Indicate that the programme 
cannot be descrambled. If the end user does have the 

55 rights, the ECM is decrypted and the control word 
extracted. The decoder 12 can then descramble the 
programme using this control word. The MPEG-2 
stream is decompressed and translated into a video sig- 
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nai for onward transmission to television set 13. 
Subscriber Management System (SMS) 

[0062] A Subscriber Management System (SMS) 22 
includes a database 32 which manages, amongst oth- 
ers, all of the end user files, commercial offers, sub- 
scriptions, PPV details, and data regarding end user 
consumption and authorization. The SMS may be phys- 
ically remote from the SAS. 

[0063] Each SMS 22 transmits messages to the SAS 
21 via respective linkage 23 which imply modifications 
to Of creations of Entitlement Management Messages 
(EMMs) to be transmitted to end users. 
[0064] The SMS 22 also transmits messages to the 
SAS 21 which imply no modifications or creations of 
EMMs but imply only a change in an end user's state 
(relating to the authorization granted to the end user 
when ordering products or to the amount that the end 
user will be charged). 

[0065] The SAS 21 sends messages (typically 
requesting information such as call-back information or 
billing information) to the SMS 22, so tiiat it will be 
apparent that communication between the two is two- 
way 

Subscriber Authorization System fSAS) 

[0066] The messages generated by the SMS 22 are 
passed via linkage 23 to the Subscriber Authorization 
System (SAS) 21. which in turn generates messages 
acknowledging receipt of the messages generated by 
the SMS 21 and passes these acknowledgements to 
the SMS 22. 

[0067] In overview the SAS conprises a Subscription 
Chain area to give rights for subscription mode and to 
renew the rights automatically each month, a Pay Per 
View Chain area to give rights for PPV events, and an 
EMM Injector for passing EMMs created by the Sub- 
scription and PPV chain areas to the multiplexer and 
scrambler 4, and hence to feed the MPEG stream with 
EMMs. If other rights are to be granted, such as Pay Per 
File (PPF) rights in the case of downloading computer 
software to a user's Personal Computer, other similar 
areas are also provided. 

[0068] One function of the SAS 21 is to manage the 
access rights to television programmes, available as 
commercial offers in subscription mode or soW as PPV 
events according to different nrxxJes of commercialisa- 
tion (pre-book mode, impulse mode). The SAS 21, 
according to those rights and to information received 
from the SMS 22. generates EMMs for the subscriber. 
[0069] The EMMs are passed to the Ciphering Unit 
(CU) 24 for ciphering with respect to the management 
and exploitation keys. The CU completes the signature 
on the EMM and passes the EMM back to a Message 
Generator (MG) in the SAS 21, where a header is 
added. The EMMs are passed to a Message Emitter 



(ME) as complete EMMs. The Message Generator 
determines the broadcast start and stop time and the 
rate of emission of the- EMMs, and passes these as 
appropriate directions along with the EMMs to the Mes- 
5 sage Emitter. The MG only generates a given EMM 
once; it is the ME which performs cyclk; transmission of 
the EMMs. 

[0070] On generation of an EMM, the MG assigns a 
unique identifier to the EMM. When the MG passes the 
10 EMM to the ME. it also passes the EMM ID. Ttiis ena- 
bles identification of a particular EMM at both the MG 
and the ME. 

[0071] In systems such as simutaypt which are 
adapted to handle multiple conditional access systems 
15 e.g. associated with multiple operators, EMM streams 
associated with each conditional access system are 
generated separately and multqplexed together by the 
multiplexer 4 prior to transmission. 

20 Encryption Levels of th^ System 

[0072] Referring now to Figure 3. a simplified outline 
of the encryption levels in the broadcast system will new 
be descrik)ed. The stages of encryption associated with 
25 the broadcast of the digital data are shown at 41, the 
ti'ansmission channel (eg a satellite link as described 
above) at 42 and the stages of decryption at the 
receiver at 43. 

[0073] The digital data N is scrambled by a control 
30 word CW before being transmitted to a multiplexer Mp 
for subsequent transmission. As will be seen from the 
lower part of Rgure 3. the transmitted data includes an 
ECM conprising, inter alia, the corrtrd word CW as 
encrypted by an encrypter Chi controlled by a first 
35 encryption key Kex. At the receiverAJecoder, the signal 
passes by a demultiplexer DMp and descranrbler D 
before being passed to a television 2022 for viewing. A 
decryption unit DChI also possessing the key Kex 
decrypts the ECM in the demultiplexed signal to obtain 
40 the control word CW subsequentiy used to descramble 
the signal. 

[0074] For security reasons* the control word CW 
embedded in the encrypted ECM changes on average 
every 10 seconds or so. In contrast, the first encryption 

45 key Kex used by tiie receiver to decode the ECM is 
changed every month or so by means of an operator 
EMM. The encryption key Kex is enaypted by a secorKi 
unit ChP using a personalised group key K1(GN)- If the 
subscriber is one of those chosen to receive an updated 

so key Kex, a decryption unit DChP in the decoder will 
decrypt the message using its group key K1(GN) to 
obtain that month*s key Kex. 

[0075] The decryption units DChp and DChI and the 
associated keys are heM on a smart card provided to 
55 the subscriber and inserted in a smart card reader in the 
decoder. The keys may be generated, for example, 
according to any generally used symmetric key algo- 
rithm or in accordance with a customised symmetric key 
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algorithm. 

[0076] As will be described, different keys may be 
associated with different operators or broadcasters as 
well as with the conditional access system supplier. In 
the above description, a group key K1(GN) is held by 
the smart card associated with the decoder and used to 
decrypt EMM messages. In practice, different operators 
will have different subscriber unique keys K1 (Opi , GN), 
K1 (Op2, GN) etc. Each group key is generated by an 
operator and diversified by a value associated with the 
group to which the subscriber belongs. Different mem- 
ory zones in the smart card hold the keys for different 
operators. Each operator may also have a unique key 
associated solely with the smart card in question and an 
audience key for all subscriders to the services provided 
by that operator (see above). 
[0077] In addition, a set of keys may also be held by 
the manager of the conditional access system. In partic- 
ular, a given smart card may include a user specific key 
KG (NS) and an audience key K1 (C), comnnon to all 
smart cards. Whilst the operator keys are generally 
used to decode EMM messages associated with broad* 
cast rights, the conditional access manager keys may 
be used to decrypt EMM messages associated with 
changes to conditional access system in general, as will 
be described below. 

[0078] The above description of the system shown in 
Figure 3 relates to the implementation of access control 
in a broadcast system In which transmissions are 
desaambled by a decoder and displayed immediately. 
Referring to Figure 4. the elements of an access control 
system for recordal and repaying of scrambled trans- 
mission will now be described. 
[0079] As before, a decoder 12 receives scrambled 
broadcast transmissions via a receiver 11. The decoder 
includes a portable security module 30, which may con- 
veniently take the form of a smart card, but which may 
comprise any other suitable memory or microprocessor 
device. The decoder 12 includes a modem channel 16, 
for exarrple, for communicating with servers handling 
conditional access information and is also adapted to 
pass descrambied audiovisual display information, e.g. 
via a Peritel link 53, to a television 1 3. The system addi- 
tionally includes a digital recorder 50, such as a DVHS 
or DVD recorder, adapted to communicate with the 
decoder, for example, via an IEEE 1394 bus 51. The 
recorder 50 receives a digital support (not shown) on 
which information is recorded. 
[0080] The recorder 50 is further adapted to function 
with a portable security module 52 containing, inter alia, 
the keys used to control access to the replaying of a 
recording. The portable security module may comprise 
any portable memory and/or microprocessor device as 
is conventionally known, such as a smart card, a PCM- 
CIA card, a microprocessor key etc. In the present case, 
the portable security module 52 has been designated 
as a SIM card, known from the field of portable tele- 
phones. 



[0081 ] The digital recorder 50 includes a direct link 54 
to the display 13. In alternative realisations, digital audi- 
ovisual information may be passed from the recader 50 
to the decoder 1 2 prior to display. Equally, whilst the ele- 

5 ments of decoder 12, recorder 50 and display 13 have 
been indicated separately, it is conceivable that some or 
all of these elements may be merged, for example, to 
provide a combined decoder/television set or combined 
decoder/recorder etc. 

10 [0082] Similarly, whilst the invention will be discussed 
in relation to the recording of audiovisual broadcast 
information, it may also conveniently be applied, for 
example, to broadcast audio information subsequently 
recorded on a DAT or minidisc recorder or even a broad- 

15 cast software application recorded on the hard disc of a 
computer. 

[0083] A first and second embodiment of the invention 
will now be described with reference to Figures 5 to 1 1 
and 12 to 19, respectively. In the first embodiment a 

20 central server is used to handle the generation and 
safeguard of the keys permitting access to a recording. 
Furthermore, in this embodiment, the real time deayp- 
tion and descrambling of a broadcast is earned out by 
the SIM card of the recorder prior to recordal. In the sec- 

25 ond embodiment, the decoder smart card manages the 
safeguard of recording access keys and also plays a 
part in the real time decryption and decoding of broad- 
cast transmissions. 

30 First Embodiment 

[0084] Referring to Figure 5, the structure of the mem- 
ory zones in the smart card 30 and SIM card 52 associ- 
ated with the decoder and recorder, respectively, will 

35 now be described. 

[0085] As shown, the decoder smart card 30 includes 
a number of keys adapted to function witii a symmetric 
encryption/decryption algorithm associated with the 
conditional access system. In the present example, a 

40 custom algorithm "CA" is used for operations generally 
associated with access to the broadcast transmission. 
This is to distinguish from the operations carried out by 
the SIM card 52 using the DES algorithm and which are 
generally associated witii tiie recordal and playback of 

45 information on the digital support (see below). 

[0086] The first set of keys, associated with the condi- 
tional access system manager indicated in the zone 55, 
are implanted in the smart card at the moment of per- 
sonalisation. These keys include a key KG diversified by 

so a number NS unique to that card. The system manager 
zone 55 may also include other keys, such as an audi- 
ence key K1 (not shown) diversified by a constant C and 
common to all smart cards handled by tiie conditional 
access system manager. 

55 [0087] A second zone 56 contains the keys associated 
witii one or more broadcast operators. These keys may 
be implanted at the moment of personalisation of tiie 
card 30 by the conditional access system manager but 
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are more equally created by means of a special trans- 
mitted EMM message at the start up of a decoder. 
[0088] As mentioned at)Ove, the operator keys may 
typically include & KG' diversified by a number NS 
unique to that card, a group key KV diversified by a 
group nuniber GN and an audience key K2' diversified 
by a constant Z and common to ail subsaiber card 
addressed by that operator. 

[0089] Finally, the smart card includes the value of the 
unique number NS of that card, Implanted at the 
moment of personalisation and held in the zone 57 of 
the smart card memory. 

[0090] As is shown, the SIM card 52 associated with 
the digital recorder Includes two sections 58, 59 associ- 
ated with keys and operations candied out using the CA 
and DES algorithms, respectively. The section 59 asso- 
ciated with operations using the CA algorithm includes a 
first system manager zone 60 and an operator zone 61 . 
The keys in the system manager zone are implanted in 
the card at the nx)ment of personalisation by the condi- 
tional access system manager and include a key KO 
diversified by the serial nurrd^er NSIM of the SIM card 
as well as a communications transport key T also diver- 
sified by the serial nuvrbBt NSIM of the card. Both keys 
are unique to tine SIM card in question. 
[0091 ] TTie SIM card further includes an operator zone 
61 adapted to store keys associated with one or more 
operators, in tiie present Figure 5, tfie SIM card is 
shown as it is at the moment of its creation and person- 
alisation by the conditional access system manager and 
before insertion in a recorder. For tfiis reason, both the 
operator zone 61 and tiie DES zone 58 are shown as 
trfank, i.e. without any stored keys. 
[0092] Finally, the SIM card includes a zone 63 
adapted to hoM the unkijue SIM card serial number 
NSIM. 

[0093] As mentioned above, in this embodiment, the 
recorder SIM card 52 is adapted to handle the real time 
decryption and desaambling of broadcast data autono- 
mously and independent of the smart card 30 associ- 
ated with the decoder. In order to carry out tiiese 
operations, it is necessary for the recorder SIM card 52 
to possess a double of the keys usually held in the sys- 
tem manager and operator zones 55. 56 of the decoder 
smart card (see Figure 5). As will be described, once 
the necessary keys are installed in the recorder SIM 
card 52. the decoder 12 will thereafter pass the broad- 
cast transmission stream "as is" to the digital recorder 
50 and card 52. 

[0094] in this embodiment, the generation of duplicate 
broadcast related keys is managed by the central condi- 
tional access system 21 , the cOgital recorder 50 acting to 
transmit a request to the appropriate server, e.g. via the 
modem link provkled by the decoder 12. Alternatively, It 
may be envisaged that tiie recorder itself will be 
equipped with a nKxJem to carry out tills request. In this 
embodiment, tiie central conditional access system 
serves to regulate botii transmission access control 



keys and. as will be described recording access control 
keys 

[0095] In order to enable the central conditional 
access system server to generate a double of tiie keys 

5 associated with tiie decoder smart card it Is necessary 
ttiat tiie request message from the recorder SIM card 
Includes an identification of tiie kJentlty of the decoder 
smart card (e.g. the smart card serial number NS) as 
well as provkJing secured confirmation of its own kien- 

10 tity. 

[0096] As a first step therefore, the decoder smart 
card 30 communicates its serial number NS and a list of 
operators Opi, Op2 etc. to the SIM card 52. For rea* 
sons of security, this communication may itself be 

75 encrypted by a simple ti-ansport encryption algorithm 
applied to all communications between the decoder 12 
and recorder 50. To avoid unnecessary conplexity in 
tiie Figures, the keys associated witii this encryption are 
not shown. The decider card serial number NS Is then 

20 stored in the system manager zone of tiie SIM card. 
[0097] The recorder SIM card 52 then sets up a com- 
munication with tiie conditional access system 21 and 
requests the unk)ue number NMERE of tiie conditional 
access system 21 at tiie condtional access server (see 

25 Figure 2). Using the Information tiius obtained, the 
recorder SIM card 52 generates a message using the 
CA algorithm, as shown in Fig. 6. 
[0098] In the convention adopted in the accompanying 
drawings, the symmetric algoritiim to be used in a given 

30 cryptographic step (CA or DES) is kJentified within an 
oval. The data to be enaypted and/or tiie data serving 
as a diversifier is kJentif led as amving via a blacked out 
Input to tiie oval. See the encryption of the smart card 
number and operator list at 70 in Figure 6. Deayption 

35 steps are distinguished using an inverse power sign, for 
exanple CA'^ or DES'V 

[0099] As a first step in Figure 6, the smart card 
number NS and operator list are encrypted by tiie key 
KO (NSIM) as shown at 70 to generate a message 71 

40 comprising the SIM card serial number NSIM and the 
encrypted data. At a second step 72. the enaypted data 
is again re-encrypted by the key T (NSIM, NMERE), 
aeated by diversifying tiie key T (NSIM) by a unique 
value NMERE associated with tiie conditional access 

45 system. As will be understood, the steps 70, 71 may be 
carried out in tiie inverse order. The message 73 and 
signature thus formed are then sent to the conditional 
access server 21 , ciphering unit 24 and motiier card 25. 
[01 00] TTie conditional access system 21 decrypts the 

so message as shown In Figure 7. The system possesses 
tiie original key KO shewn at 76. Diversifying the key KO 
with the NSIM value contained In the message, as 
shown at 77, generates tiie key KO (NSIM). The key KO 
(NSIM) Is first used to valklate the signature at 78. In the 

55 event that tiie signature is not valkJ. the analysis of the 
message ends, as shown at 81 . 
[01 01 ] In addition to tiie key KO, the system also pos- 
sesses tiie transport key T or at least the key T 
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(NMERE) representing the value of this key T diversified 
by unique conditional access system number NMERE. 
Diversifying T (NMERE) by the value NSIM contained in 
the message enables the system to generate the key T 
(NSIM. NMERE). For the sake of simplicity, the steps in 5 
the preparation of this key have not been shown in Fig- 
ure 7. 

[0102] Equipped with keys KO (NSIM) and T (NSIM. 
NMERE), the system manager can then deaypt the 
message at 79 to obtain the decoder smart card serial 10 
number NS and the list of operators associated with the 
subscriber in question. The system manager then fur- 
ther verifies that the list of operators does indeed match 
the smart card serial number and thereafter assembles 
in an EMM message the duplicate key values that will is 
be needed by the recorder SIM card to decrypt a trans- 
mission, including a duplicate of the smart card system 
manager key KO (NS) as well as the various operator 
keys KG* (Opi, NS). Kl' (Opi, GN) etc. 
[01 03] The access system also prepares a recording 20 
transport key RT (A) which will be subsequently used by 
the SIM card in controlling access during the recording 
and playback of a digital recording, as will be discussed 
in more detail below. In accordance with the choice of 
algorithm preferred for dealing with the recording, this 25 
key will be prepared from a DES key RT diversified by a 
random number A. The key RT is always present in the 
mother card and a copy of the value A is maintained for 
safeguard purposes in a database associated with the 
system operator. In this way, the value RT (A) may be 30 
regenerated at any moment. 
[0104] The smart card duplicate keys KO (NS). KO' 
(Opi , NS), Kex etc. and the recording transport key RT 
(A) are then formatted into an EMM message sent to the 
recorder SIM card. For security reasons, this message 35 
is encrypted by the key KO (NSIM) to ensure that only 
the correct SIM card can obtain this information. 
[0105] For any subsequent change or update, for 
example, in relation to the operator keys or other access 
rights, the SIM card (as a copy of the smart card) will 40 
receive all EMM/ECM messages needed to decrypt 
broadcast transmissions. 

[01 06] Referring to Rgure 8, the state of the recorder 
SIM card 52 immediately prior to the recordal of a 
broadcast transmission will now be described. As 45 
shown, the digital recorder card 59 now includes com- 
plete system manager and operator zones 60, 61 as 
well as a stored value the DES recording transport key 
RT (A) shown at 85. In addition, the card generates a 
recording encryption key E (NE) shown at 86 and so 
obtained by diversifying at 87 a DES key E shown at 88 
by a random value NE shown at 89. In this case, the key 
E(NE) is used as a type of session key and may be 
changed between recordings. The pair of keys E (NE) 
and RT (A) will subsequently be used in all encryption ss 
and decryption of the digital recording. 
[01 07] Referring to Figure 9, the steps in the treatment 
by the recorder of an ECM message assodated with a 



broadcast transmission will now be described. After the 
arrival of an ECM message at 90, the card verifies at 91 
that it has the rights to read this particular transmission, 
for example, that it is a transmission from one of the 
operators in its list of operators. If so, the encrypted con- 
trol word CW is extracted from the ECM at the step 92. 
If not, the processing stops at step 93. Using that 
month's exploitation key Kex for the operator in question 
shown at 94. the card decodes at 95 the encrypted 
value to obtain the control word CW in clear, as shown 
at 96. 

[0108] The recorder card then re-encrypts at 97 the 
control word CW using the DES key E (NE) shown at 98 
and prepares an ECM including the newly encrypted 
control word for Insertion in the data stream to replace 
the previous ECM. The scrambled transmission 
together with the sequence of new ECM messages are 
then recorded on the support in the digital recorder. 
[0109] Simultaneously and as shown at step 101 in 
Figure 10, the SIM recorder card encrypts the value E 
(NE) shown at 100 using the recording transport key RT 
(A) shown at 1 02, so as to generate a special EMM type 
message 103. This EMM message is then recorded on 
the digital recording support at the start or header of the 
recording. As will be understood from the foregoing 
description, other than the safeguard copy held at the 
conditional access system database, the key RT (A) is 
unique to the recorder card and this EMM message may 
not be decrypted by cards other than the recorder card 
that generated the message. 
[01 1 0] Referring to Figure 1 1 , the steps in the decryp- 
tion and descrambling of a recording will now be 
described. Firstly, the EMM message 1 1 1 at the head of 
the recording is decrypted at 110 using the recording 
transport key 112 stored in the SIM card. Assuming the 
EMM message was originally created using the same 
recording transport key the result of the deayption step 
110 will be the recording encryption key E (NE) at 116. 
[0111] As the recording is played, ECMs 113 are 
picked out from the data stream and decrypted at step 
1 14 using the recording encryption key E (NE) to obtain 
at step 1 15 the control word CW used to scramble that 
part of the data stream associated with the ECM. This 
control word CW Is then fed together with the scrambled 
audiovisual data to a descrambling unit, either In the 
recorder SIM card or in the recorder itself, and a 
descrambled audiovisual output obtained for subse- 
quent display via the television display or the like. 
[01 1 2] As will be understood, the presence of a safe- 
guard means for preparing a copy of the transport key 
RT (A) at the mother card 25 of the central access con- 
trol system means that, in the event of loss or destruc- 
tion of the recorder SIM card 25, it will be possible to 
reconstruct a new recorder card to allow playback of 
previously made recordings. 
[01 1 3] The above embodiment is particularised by the 
fact that the recording transport key RT (A) is generated 
and safeguarded at a central server and also by the fact 
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that the recorder SIM card contains a duplicate of the 
necessary operator keys to independently decrypt and 
desaambie a real time transmission. The second 
embodiment, described below in Figures 12 to 19 does 
not suffer from these constraints, but descrtoes a reali- 
sation in which the decoder smart card plays a more 
important role. 

Second Embodiment 

[01 1 4] Referring to Figure 1 2, the structure of the con- 
ditional access zones in the decoder smart card 30 and 
recorder SIM card 52 in such a system are shown. As 
before, both cards include zones reserved for opera- 
tions using the OA algorithm and storage of key data, in 
particular system manager zones 55, 60 arxl operator 
zones 56, 61. 

[01 1 5] In the present embodiment, the system man- 
ager zone 55 of the decoder card 30 includes, in addi- 
tion to the key KO (NS). an audience key K1 (C) 
common to all cards personalised and managed by the 
system manager and formed by the diversification of a 
CA key by a constant value C. This key K1 (C) is also 
present in the system management zone 60 of the 
recorder card 52. 

[0116] The other significant change in comparison 
with the zone structure of the previous embodiment is 
that the smart card 30 is additionally provided with the 
DES algorithm and includes a DES operating zone 120. 
[01 17] In order to enable the decoder smart card and 
recorder SIM card to work together and. in particular, to 
enable the eventual generation of a recording transport 
key TR, it is necessary for a mutual authentification of 
both cards to be carried out. 

[0118] As shown in Rgure 13. as a first step 121 the 
recorder SIM card 52 requests a random nurrtoer from 
the decoder smart card 30 which returns the number A1 
at 122. This number is then used to diversify the audi- 
ence key K1 (C) at step 123 to generate the key K1 (C. 
Al) shown at step 124. The SIM card then generates a 
second random number A2 shown at 125. which is in 
turn encrypted by the key K1 (C. Al) at 126. Before 
communication to the smart card, this message is again 
encrypted and signed at 128 by a second key K1 (C. 
NSIM) shown at 127 and formed by diversifying the 
audience key K1 (C) by the value NSIM. The message 
129 thus formed is sent as a request for serial number 
NS and associated individual key K0(NS) to the 
decoder smart card 30. 

[01 1 9] Referring to Figure 1 4, on an-ival at the decoder 
smart card 30, the communicated value NSIM is used 
by the smart card to generate the key K1 (C, NSIM). The 
value of A2 is then deaypted at 130 using this key and 
the key K1 (C, A1) obtained by the smart card using the 
random number A1 that it had previously generated and 
stored in its menx>ry. 

[0120] This random nunfA>er value A2 obtained at 131 
is then used to diversify the audience key K1 (C) to 



obtain tiie key K1 (C. A2) shown at 132. The key K1 (C, 
A2) then enaypts the smart card unique serial number 
NS and system key KO (NS) at 133 to aeate the mes- 
sage 134. 

5 [0121] As before, this message is then re-encrypted at 
135 using the key K1 (C. NSIM) shown at 136 and the 
message retumed to the recorder SIM card 52 as 
shown at 137. 

[01 22] The recorder SIM card generates the keys K1 

10 (C. A2) and K1 (C, NSIM) shown at 138 by diversifying 
the key K1 (C) by the NSIM serial number and the pre- 
viously generated and memorised random number A2. 
These keys are used to decrypt at 1 39 the messages so 
as to obtain the unique serial nurr^er NS and unique 

75 system manager key KO (NS) of the smart card, this 
information thereafter being recorded in tiie memory of 
tiie recorder SIM card at 140. 
[01 23] Unlike ttie previous embodiment, in which dou- 
bles of all system manager and operator keys were 

2X> taken to ensure independent operation of the recorder 
SIM card, the double key KO (NS) and the smart card 
serial number NS are used to set up a session key for 
recording and to enable secure communication 
between the cards during a recording sessbn, notably 

25 to enable secure communication of a recording trans- 
port key 

[01 24] In this embodiment, the initial decryption of the 
CW is handled by the smart card using the operator 
keys and monthly exploitation keys that it possesses. 
30 Whilst it is conceivable that tiie control word CW couW 
be passed directly to the SIM card during the creatbn of 
a recording it is desirable for security reasons to use a 
session key to transport the control word CW for this 
purpose. 

35 [0125] Rgure 15 shows one way of creating such a 
key As shown, the recorder SIM card picks a random 
key K3 shown at 141 and diversifies this key at 142 with 
tiie SIM card serial number NSIM shown at 143. The 
key K3 may be taken from any one of a number of such 

40 keys stored for this purpose in the system manager 
zone. The CA session key K3 (NSIM) thus created at 
144 is then encrypted at 145 using tfie previously 
obtained smart card system manager key KO (NS) 
shown at 146. The message 147 thus generated is 

45 thereafter transmitted to the decoder smart card 55 
which uses its key KO (NS) to deaypt the message at 
148 and store the session key K3 (NSIM) in the memory 
of the card at step 149. 

[01 26] Referring to Figure 1 6, the state of the recorder 
so SIM card prior to a recording operation will now be 
described. The system manager zone 60 includes the 
smart card key KO (NS) and the session key K3 (NSIM) 
as well as the normally present system keys KO (NSIM) 
etc. (not shown). In addition, the card creates a DES 
55 recording encryption key from a DES key E shown at 
150 by diversifying tiiis key at 151 by a random value 
NE shown at 152. As before, the resulting recording 
encryption key E (NE) will be used in the re-encryption 



21 



EP0936 812A1 



22 



of the control words associated with a program. Simi- 
larly, a recording transport key RT (A) shown at 153 is 
generated to be used to encrypt the recording encryp- 
tion key E (NE) also recorded on the digital support 
medium. 

[0127] Unlike the pres/ious embodiment, in which the 
recording transport key was generated at the access 
control server, the key RT (A) is generated by the 
recorder SIM card itself using a DES key diversified by 
a random number A. In order to safeguard a copy of this 
key a copy is communicated to the decoder smart card. 
For obvious security reasons, this copy Is communi- 
cated in encrypted form, for example, as encrypted by 
the smart card key KO (NS) currently stored in the SIM 
card memory. 

[01281 Referring to Figure 20, upon first insertion in 
the decoder the recorder SIM card 52 first sends a 
request 190 to the smart card to see if a value of RT(A) 
has already been generated. An evaluation is carried 
out by the decoder smart card at 1 91 . 
[0129] If the answer is negative, the recorder SIM card 
52 generates a random DES key RT at 1 92, which value 
is diversified at 193 by a random value A shown at 194 
to generate the key RT(A) shown at 195. This key value 
RT(A) is then enaypted at 196 using the custom algo- 
rithm and the key KO(NS) shown at 197 and the result- 
ing message 198 then sent to the decoder smart card 
30 for decryption and safeguard of the key RT(A). 
[0130] If the determination at 191 is positive, then the 
previously stored value of RT(A) is sent back at 199 to 
the recorder SIM card 52. 

[0131] Referring to Figure 17. the operations of the 
decoder smart card 30 during recording of a scrambled 
transmission will now be described. As mentioned 
above, in this embodiment, the decoder smart card han- 
dles the initial decryption steps using the operator keys 
before communicating the value of the control word CW 
to the recorder SIM card 52. 

[01 32] As shown, the decoder smart card 30 receives 
an ECM 160 for processing in the operator zone 56. 
Firstly, the smart card 30 checks that it has the rights to 
access this program. Assuming that this is the case, the 
encrypted code word CW is extracted from the ECM at 
162 and decrypted at 163 using the appropriate exploi- 
tation key Kex shown at 164. Otherwise, the process 
ends as shown at 165. 

[0133] As mentioned above, the clear value of the 
control word CW shown at 166 cannot be directly com- 
municated to the recorder SIM card. Accordingly, the 
control word CW is encrypted at 167 using the session 
key K3 (NSIM) shown at 168 and the resulting value 169 
communicated to the recorder card SIM for the next 
steps in the process. 

[0134] Refen'Ing to Figure 18, the control word 
encrypted by the session key is received by the recorder 
SIM card 52 which carries out a decryption process at 
170 using the equivalent of the session key K3 (NSIM) 
previously stored in memory shown at 171. The clear 



value of the control word CW at 172 is then passed to 
the DES zone of the card for encryption at 1 73 using the 
recording encryption key E (NE) shown at 174. The 
resulting encrypted value is then encapsulated in an 

s ECM and inserted in the data stream for recordal with 
the still scrambled data on the recording support. 
[01 35] At the same time and in a similar manner to the 
first embodiment, the recording encryption key value 
shown at 180 in Figure 19 is encrypted at 181 using the 

10 recording transport key RT(A) shown at 1 82. The result- 
ing encrypted value 183 is encapsulated in an EMM for 
recordal in the header of the digital recording. 
[0136] During replay of the recording, and as 
described before in relation to Figure 11, the EMM at 

IS the start of a recording containing the recording encryp- 
tion key E (NE) is decrypted by the recorder SIM card 
using the recording transport key RT (A). The recording 
encryption key E (NE) is then used to decrypt each 
ECM so as to obtain the control word CW associated 

20 with that particular section of the scrambled recording. 
The recording is then descrambled and played. 
[01 37] As will be understood, the presence of a safe- 
guard copy of the recording transport key RT (A) stored 
in the decoder smart card means that, in the event of 

25 loss or breakdown of the recorder SIM card, a replace- 
ment recorder card may be generated. Unlike the previ- 
ous emtxxdiment, however, it is not necessary to use a 
centralised server to maintain this duplicate copy. 
[0138] As will be understood, alternative embodi- 

30 ments may be envisaged. For example, in the above 
embodiments the encryption recording key E (NE) is 
generated using a key and a random number. However, 
in alternative embodiments the key E (NE) may be gen- 
erated from a key diversified by the serial number of the 

35 recording device itself (i.e. not the recorder SIM card) to 
link a given recording to both the recorder SIM card and 
the recording device. 

[0139] Similarly, certain elements of the first embodi- 
ment such as 'a centralised transport key store and an 
40 autonomously operating recorder are independent from 
each other and may be used in the second embodi- 
ment, and vice versa. 



Claims 



45 



1. A method of recording transmitted digital data in 
which transmitted digital information is encrypted 
by a recording encryption key (E(NE)) and stored 
by a recording means (50) on a recording support 

50 medium and characterised in that an equivalent of 
the recording encryption key (E(NE)) is encrypted 
by a recording transport key (RT(A)) and stored on 
the support medium together with the encrypted 
information. 

55 

2. A method as claimed in claim 1 in which the infor- 
mation encrypted by the recording encryption key 
(E(NE)) comprises control word Information (CW) 
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usable to descramble a scrambled data transmis- 
sion also recorded on the support medium. 

3. A method as claimed in claim 1 or 2 in which the 
recording enayption key (E(NE)) and/or recording s 
transport key (RT(A)) are stored on a portable 
security module (52) associated with the recording 
means (50). 

4. A method as claimed in any preceding daim in io 
which the transmitted information is encrypted prior 

to transmission and received by a decoder means 
(12) before being communicated to the recording 
means (50). 

15 

5. A method as claimed in claim 4 in which the 
decoder (50) is associated with a portable security 
nrKxiule (30) used to store transmission access con- 
trol keys (KO(NS), K0'{Op1,NS) etc.) used to 
decrypt the transmitted encrypted information. 20 

6. A method as claimed in claim 5 in which the record- 
ing encryption key (E(NE)) and/or recording trans* 
port key (RT(A)) function in accordance with a first 
encryption algorithm (DES) and the transmission 25 
access control keys (KO(NS). K0'(Op1,NS)etc.) 
function in accordance with a second encryption 
algorithm (CA). 

7. A method as claimed in any preceding daim in 30 
which the recording transport key (RT(A)) is gener- 
ated at a central recording authorisation unit 

(21 .24,25) and a copy of this key communicated to 
the recording means (50). 

35 

8. A method as claimed in claim 7 in which the record- 
ing transport key (RT(A)) is preferably encrypted by 
a further enayption key (KO(NSIM)) prior to being 
communrcated to the recording means (50). 

40 

9. A method as claimed in any preceding daim in 
which a central access control system (21,24,25) 
communtoates transmission access control keys 
(KO(NS). K0*(Op1,NS) etc.) to the recording means 

(50). 45 

10. A method as claimed in claim 9 in which the trans- 
mission access control keys (KO(NS), K0'(Op1,NS) 
etc.) are communicated to a portable security nrKxJ- 

ule (52) associated with the recording means (50). so 

11. A method as claimed in claim 9 or 10 in which the 
recording means (50) directly descrambles trans- 
ntitted information using the transmission access 
keys (KO(NS), KOXOpI .NS) etc.) prior to re-enayp- 55 
tion of the information by the recoiding encryption 
key (E(NE)) and storage on the support medium. 



12. A metiiod as claimed in any of claims 9, 10 or 1 1 in 
which the central access control system (21, 24, 
25) preferably encrypts the broadcast access con- 
trol keys (KO(NS), KO'(Opl.NS) etc.) by a further 
encryption key (KO(NSIM)) prior to their communi- 
cation to tiie recording means (50). 

13. A metiiod as daimed in any of claims 9 to 12 in 
which ttie recording means (50) sends a request to 
the central access control system including infor- 
mation identifying the broadcast access keys 
needed (K0(NS). K0XOpl,NS) etc.). the request 
being authentified by the recording means (50) 
using a key (KO(NSIM)) unque to that recording 
means. 

14. A method as daimed in daim 1 using a decoder 
means (12) and assodated security module (30) 
and a recording means (50) and associated secu- 
rity module (52) and in which a copy of the record- 
ing transport key (RT(A)) is stored in tiie security' 
module (30) assodated with ttie decoder means 
(12). 

15. A method as daimed in claim 14 in which the 
recording transport key (RT(A)) is generated by tiie 
recording security module (52) or decoder security 
module (30) and communicated to the other secu- 
rity module. 

16. A method as daimed in claim 15 in which tiie 
recording transport key (RT(A)) is preferably 
encrypted before communication to the otfier secu- 
rity nxxlule and decrypted by a key unique 
(KO(NS)) to that other security nfKXtule. 

17. A method as daimed in claim 16 in which tiie 
decoder security module (30) and recording secu- 
rity module (52) cany out a mutual authorisation 
process, the unique decryption key (KO(NS)) being 
passed to ttie otiier security module from the 
encrypting security module depending on the 
results of the mutual authorisation. 

1& A method as daimed in claim 17 in which tiie 
mutual authorisation step is canried out using, inter 
alia, an audience key K1(C) known to both security 
modules (30.52) diversified by tiie serial number 
(NS, NSIM) of each module. 

19. A method as daimed in any of daims 14 to 18 in 
which the decoder security module (30) possesses 
ti'ansmission access contrd keys (KO(NS). 
KOXOpl.NS) etc.) to decrypt the tiansmitted infor- 
mation in an encrypted form and a session key 
(K3(NSIM)) re-encrypt the information prior to com- 
munication to the recording security module (52), 
tiie recording security module (52) possessing an 
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equivalent of the session l^ey (K3(NSIM)) to decrypt 
the Information prior to encryption by the recording 
transport l<ey (RT(A)). 

20. A method as claimed in claim 19 in which the ses- s 
sion key (K3(NSIM)) is generated by the decoder 
security module or recording means security nrxxJ- 
ule (52) and communicated to the other module in 
encrypted form using an encryption key (KO(NS)) 
uniquely decryptaUe by the other security module. io 

21. A recording means (50) adapted for use in a 
method as claimed in any preceding claim compris- 
ing a security module (52) for encrypting transmit- 
ted digital information by a recording encryption key is 
(E(NE)) for storage on a recording support medium 
and characterised In that the security module (52) 

is further adapted to encrypt the recording encryp- 
tion key (E(NE)) by a recording transport key 
(RT(A)) for storage on the support medium. 20 

22. A portable security module (52) adapted for use in 
the recording means of claim 21 and characterised 
in comprising a recording encryption key (E(NE)) 

for encryption of transmitted digital information for 2S 
subsequent recordal and a recording transport key 
(RT(A)) for encryption of the recording encryption 
key for subsequent recordal. 

23. A decoder means (20) adapted for use in a method 30 
as claimed in any of claims 14 to 20 including a 
security module (30) adapted to store a copy of the 
recording transport key (RT(A)). 

24. A decoder means (20) as claimed In claim 23 35 
including a security module (30) adapted to 
descramble transmitted Information using one or 
more transmission access keys (KO(NS), 
K0'(Op,NS) etc.) prior to reencryption by a session 
key (K3(NSIM)) for subsequent communication to a 40 
recording means. 

25. A portable security module (30) adapted for use In 
the decoder means (20) of claim 23 or 24 and com- 
prising at least a copy of the recording transport key 45 
(RT(A)). 
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Fig.3. 
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Fig.6. 
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Fig.8. 
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